Rundeck user permissions and access control setup

While using Rundeck, I found the documentation very thin on examples showing how to define access control for individual roles and projects. In our company this was very much required: we needed different roles so that there would be segregation between who is who in the Rundeck system. For example, some users required read-only privileges to check whether a job had completed, a few users needed the privilege to run a job but not to modify it, and a few users needed privileges to modify jobs and workflows. In this article we discuss what needs to be done to set access rights for individual users for better control of your Rundeck system.

Before going deep into the configuration, below is an excerpt from the official Rundeck site about the access control policy and mechanism.

A Rundeck access control policy grants users and user groups certain privileges to perform actions against Rundeck resources like projects, jobs, nodes, commands and API. Every action requested by a user is evaluated by the Rundeck authorization system and logged for reporting and auditing purposes. You can define role-based authorization to restrict users to only a subset of actions. This enables a self-service type interface, where some users have access to a limited set of executable actions.

Two dimensions of information dictate authorization inside Rundeck:

– group memberships assigned to a user login.
– access control policy that grants access to one or more policy actions to a group or user.

In this article we describe how to create roles and provide access control such as read-only/run/admin, both to individual projects and to Rundeck as a whole.

Things to achieve:

1. Create the roles below with different access to projects for Rundeck user permissions.

– user/upload : Role for a QA person or whoever uploads the release files to the system. This user will have the minimum privileges.
– opsrm : A QA person or one of our CORD team members, with privileges to run the jobs and complete the installation and release.
– opsadmin : CORD POC of a project. Has higher privileges to modify and update workflows to suit the release.
– superadmin : A very few selected CORD members with complete privileges on the system, such as update, add, modify and delete, across all project flows, jobs, schedules, etc.

2. Define access control policies for all the roles created.
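To make the two dimensions above concrete, here is the general shape of a policy for the opsrm role (run jobs, but no modification). This is an added example, not taken from the original article or from the Rundeck documentation; the project name `myproject` is a placeholder and the exact set of actions granted is an assumption about what "run only" should mean.

```yaml
# Added example: run-only policy for the opsrm group.
# "myproject" is a placeholder project name.
description: opsrm, view and run jobs in one project, no job changes
context:
  project: 'myproject'      # regex matched against the project name
for:
  resource:
    - equals:
        kind: event
      allow: [read]         # view execution history
    - equals:
        kind: node
      allow: [read]         # view the node list
  job:
    - allow: [read, run]    # no create, update or delete
  node:
    - allow: [read, run]    # jobs may execute on the project's nodes
by:
  group: opsrm

---

# Application-level document: lets the group see the project at all.
description: opsrm, may see myproject in the project list
context:
  application: 'rundeck'
for:
  project:
    - equals:
        name: 'myproject'
      allow: [read]
by:
  group: opsrm
```

Actions that are not listed under `allow` are denied, so a read-only role is the same file with `run` removed from the `job` and `node` rules.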

Assumptions:

1. Rundeck is installed in the /opt/rundeck directory using the Rundeck launcher 2.5.1 (current latest) from here, with Oracle JDK version 1.7.0_55.